by xaduha 2178 days ago
BTW both PIV and GPG in Yubikeys are just applets and not particularly suited for SSH use either. The proper applet for it is this one https://github.com/philipWendland/IsoApplet, if you can install it of course.

Some get confused or have bad associations when hearing the word 'applet', but that is what they are, as in 'Java applet'.

This one is too https://developers.yubico.com/ykneo-oath/Releases/


What makes you say it's not particularly suited for SSH?
Because they were made for a different purpose, with extra hoops you need to jump through.
U2F was made for a different purpose too.

I don't see what's so extra hoop-y about telling SSH "use key from industry standard PKCS#11". That's literally what it's there for, and when Yubico added PIV support that instantly added support to multiple operating systems (incl Linux & Windows) where SSH keys "just work".

I can take a yubikey today from my Linux system, plug it into a Windows machine, and Putty with wincrypt support "just works". Because that's how it was designed.

You're using yubikey-agent or ykcs11 or yubico-piv-tool or some such nonsense most likely that actually provides PKCS#11. That is, it wraps whatever PIV is supposed to do and gives you a PKCS#11 interface. I'm talking about something that isn't Yubico specific and provides PKCS#11 and PKCS#15 with OpenSC straight ootb.

e.g. the issues that are described here are avoided https://github.com/FiloSottile/yubikey-agent#alternatives

I'm using OpenSC straight out of the box, with vanilla SSH. I am using ssh-agent, but it works just as well without it.

I can pop my yubikey into a plain vanilla install of Linux and run "ssh -oPKCS11Provider=/path/to/opensc-pkcs11.so user@host.com".

Or just put this into your ~/.ssh/config

Host *
  PKCS11Provider /path/to/opensc-pkcs11.so

Or on a Windows plain vanilla system I just pop the key in and tell putty-cryptoapi to use "the smartcard key". Windows pops up my pinentry dialog, then I touch to verify physical presence, and in I go.

I agree that the gpg-agent way is yuck. But I still don't understand what you mean about the PKCS#11 way. Yes, setting up the key required Yubico tooling. Is that what you're talking about?
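The OpenSC-plus-vanilla-OpenSSH flow described in the comment above, written out as one script. This is an added example, not code from the thread or from the OpenSC or OpenSSH projects. It assumes OpenSC is installed and that its module sits at one of the candidate paths listed in the script (typical Debian, Fedora and macOS locations, but verify your own with your package manager), and that a token with an SSH-capable key is plugged in when you actually run it.

```shell
#!/bin/sh
# Added example (not from the thread): wire a PKCS#11 token into OpenSSH via
# OpenSC. Assumptions: OpenSC is installed and its module lives at one of the
# candidate paths in find_opensc_lib (assumed, check your distro); a token
# holding a key is present when the hardware-touching steps run.

# Locate opensc-pkcs11.so. These are typical distro/macOS install paths
# (assumption); the first one that exists wins.
find_opensc_lib() {
    for p in \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        /usr/lib64/opensc-pkcs11.so \
        /usr/lib/opensc-pkcs11.so \
        /usr/local/lib/opensc-pkcs11.so \
        /Library/OpenSC/lib/opensc-pkcs11.so; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Step 1: read the public key(s) off the token. The output is the line that
# goes into ~/.ssh/authorized_keys on the server; the private key never
# leaves the card.
export_token_pubkeys() {
    ssh-keygen -D "$1"
}

# Step 2: produce the ~/.ssh/config stanza that makes plain ssh(1) ask the
# token for signatures on every host. Printed to stdout so the caller decides
# whether to append it to an existing config.
write_config() {
    printf 'Host *\n  PKCS11Provider %s\n' "$1"
}

# Step 3 (optional): load the token keys into a running ssh-agent once, so
# later ssh invocations reuse the PIN-unlocked session instead of prompting
# each time.
add_to_agent() {
    ssh-add -s "$1"
}

main() {
    lib=$(find_opensc_lib) || {
        echo "opensc-pkcs11.so not found; install OpenSC first" >&2
        return 1
    }
    echo "# public keys on the token (append to the server's authorized_keys):"
    export_token_pubkeys "$lib"
    echo "# stanza for ~/.ssh/config:"
    write_config "$lib"
}

# Only touch hardware when explicitly asked ("sh script.sh run"), so the
# functions can be sourced or checked without a token present.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it with `sh script.sh run`, paste the printed public key into the server's `authorized_keys`, and append the stanza to `~/.ssh/config`; from then on `ssh user@host` prompts for the card PIN (and a touch, if the key is configured to require one) and signs on the token. If `ssh-add -s` is refused, recent ssh-agent builds only load PKCS#11 modules from an allowlist of library paths, settable with `ssh-agent -P`, so a module outside the system library directories needs to be added there.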

I never owned a Yubikey, and things have probably changed over the years since I last looked into it. But even so, what you have there is a proprietary applet with lots of extensions https://developers.yubico.com/PIV/Introduction/Yubico_extens...

If it works with OpenSC out of the box, then that's because Yubico made it work. I'm pretty sure that if you tried to use a publicly available PIV applet that does its PIV duties in accordance with the specs, you are not going to have a good time trying to pair it with OpenSSH.